Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method to provide threat intelligence for hosted services, the method comprising: receiving data associated with a tenant's service environment, wherein the received data includes communications, stored content, metadata associated with the received data, and activities associated with the received data; correlating the received data at multiple levels based on the metadata associated with the received data and the activities associated with the received data to generate correlated and multi-stage evaluated data; determining, based on a contextual correlation analysis of the correlated and multi-stage evaluated data, a threat, wherein the contextual correlation analysis is based on one or more contextual factors; determining, based on the contextual correlation analysis, a potential impact for the threat; presenting information regarding the threat and the potential impact through an interactive visualization, wherein at least one element of the interactive visualization is actionable; determining at least one targeted user receiving the threat; presenting a listing of the determined targeted users; in response to receiving a selection of a user from the list of determined targeted users, presenting one or more selected from a group consisting of a communication exchanged with the selected user, a document shared by the selected user, a document processed by the selected user, and a resource used by the selected user; and one or more selected from a group consisting of presenting a remediation action and automatically implementing a remediation action associated with the received threat.
Cybersecurity threat intelligence for cloud-hosted services. This invention addresses the need to identify and mitigate threats within a tenant's cloud service environment. The method involves collecting comprehensive data, including communications, stored content, and associated metadata and activities. This raw data is then processed through a multi-level correlation engine, leveraging metadata and activity patterns to create evaluated data. A contextual correlation analysis is performed on this evaluated data, considering specific contextual factors, to identify potential threats and assess their potential impact. The system then determines which users are targeted by the threat and presents this information, along with the threat's impact, through an interactive visualization. This visualization includes actionable elements. If a user is selected from a list of targeted users, the system can display related information such as communications, shared documents, processed documents, or used resources. Furthermore, the system can present or automatically implement remediation actions for the identified threat.
2. The method of claim 1, further comprising: determining a user profile for the selected user; and considering the user profile in the contextual correlation analysis.
A system and method for analyzing and correlating data from multiple sources to provide contextually relevant information to a user. The method involves collecting data from various sources, such as user interactions, environmental sensors, and external databases, and processing this data to identify patterns, trends, and relationships. The processed data is then used to generate contextually relevant information, which is presented to the user in a meaningful way. The method further includes determining a user profile for the selected user, which may include preferences, behavior patterns, historical data, and other relevant attributes. The user profile is then considered in the contextual correlation analysis to tailor the information provided to the user's specific needs and preferences. This enhances the relevance and personalization of the information delivered, improving user experience and decision-making. The system may be applied in various domains, such as personalized recommendations, predictive analytics, and adaptive user interfaces, where understanding user context and preferences is crucial for delivering effective solutions.
3. The method of claim 2, wherein the user profile includes a risk assessment of the selected user based on one or more selected from a group consisting of an exchanged communication with the selected user, shared content associated with the selected user, content accessed by the selected user, and an access location associated with the selected user.
A system and method for assessing user risk in a digital environment evaluates a user's profile to determine potential security or behavioral risks. The user profile includes a risk assessment derived from multiple data sources, such as communications exchanged with the user, content shared by or associated with the user, content accessed by the user, and the geographic or network location from which the user operates. By analyzing these factors, the system identifies patterns or anomalies that may indicate suspicious activity, such as unauthorized access, malicious intent, or policy violations. The risk assessment helps organizations enforce security policies, detect threats, and mitigate risks in real-time. The method dynamically updates the risk profile as new data becomes available, ensuring continuous monitoring and adaptive security measures. This approach enhances threat detection accuracy and reduces false positives by considering multiple contextual factors rather than relying on isolated indicators. The system may integrate with existing security frameworks to provide actionable insights for risk management and compliance.
4. The method of claim 1, wherein presenting the received and potential threats and the potential impact comprises: displaying one or more selected from a group consisting of a chart, a map, and textual information associated with the threat and the potential impact.
This invention relates to cybersecurity threat assessment and visualization. The problem addressed is the difficulty in effectively communicating cybersecurity threats and their potential impacts to stakeholders in a clear and actionable manner. Current systems often present threat data in complex or fragmented formats, making it hard for users to quickly understand risks and prioritize responses. The invention provides a method for presenting cybersecurity threats and their potential impacts in a user-friendly format. Threat data is collected from various sources, including real-time monitoring systems and historical databases. The system analyzes this data to identify both current and potential threats, assessing their severity and likelihood. The key innovation is in how this information is displayed to users. The system presents threats and their impacts using visual and textual formats, including charts, maps, and textual descriptions. Charts may show trends or severity levels, maps can display geographic or network-based threat origins, and textual information provides detailed explanations. This multi-format approach ensures that users can quickly grasp the nature of threats and their potential consequences, enabling better decision-making and response planning. The system dynamically updates the displayed information as new threats are detected or existing threats evolve, ensuring users always have the most current data.
5. The method of claim 4, wherein the one or more selected from a group consisting of a chart, a map, and textual information associated with the threat and the potential impact include actionable elements that, when selected, drill down on a portion of the displayed information.
This invention relates to cybersecurity threat visualization and analysis systems. The problem addressed is the difficulty in effectively presenting complex cybersecurity threat data in a way that allows users to quickly understand and act on potential risks. Existing systems often provide static or overly simplified visualizations that do not enable detailed exploration of threat details or impacts. The invention provides a method for displaying cybersecurity threat information in a user interface. The system generates visual representations of threats, such as charts, maps, or textual summaries, which include interactive elements. These elements allow users to drill down into specific portions of the displayed information for deeper analysis. For example, selecting a data point on a chart may reveal detailed threat characteristics, while clicking on a location on a map may show localized impact assessments. The interactive elements are designed to be actionable, meaning they trigger additional data retrieval or processing to provide more granular insights. The system dynamically updates the display based on user interactions, ensuring that the most relevant threat information is always accessible. This approach enhances situational awareness and decision-making for cybersecurity professionals by enabling efficient navigation through layered threat data.
6. The method of claim 4, further comprising: enabling, based on a selected criterion, an administrator to one or more selected from a group consisting of filter the one or more visualizations and combine the one or more visualizations.
This invention relates to data visualization systems, specifically methods for enhancing the flexibility and usability of visualizations in administrative interfaces. The problem addressed is the difficulty administrators face in managing and interpreting multiple visualizations simultaneously, particularly when dealing with large datasets or complex relationships. The invention provides a solution by allowing administrators to dynamically filter and combine visualizations based on selected criteria, improving efficiency and clarity in data analysis. The method involves enabling an administrator to apply filters to one or more visualizations, allowing them to focus on specific subsets of data. Additionally, the administrator can combine multiple visualizations into a unified view, which helps in identifying patterns or correlations that may not be apparent when visualizations are viewed separately. The filtering and combining operations are based on user-defined criteria, ensuring that the visualizations adapt to the administrator's specific needs. This functionality is particularly useful in environments where real-time data monitoring and decision-making are critical, such as in business intelligence, cybersecurity, or operational analytics. By providing these capabilities, the invention enhances the administrator's ability to extract meaningful insights from data, reducing the time and effort required to analyze complex datasets. The system ensures that visualizations remain relevant and actionable, supporting more informed and timely decision-making.
7. The method of claim 1, further comprising: searching through communications and data associated with a user associated with the received threat; and determining, based on the searching through the communications and the data associated with a user associated with the threat, affected communications and data.
This invention relates to cybersecurity, specifically to identifying and analyzing threats and their impact on user communications and data. The problem addressed is the need to efficiently determine which communications and data are affected by a detected threat, allowing for targeted remediation and minimizing disruption. The method involves receiving a threat, which may include malicious activity such as malware, unauthorized access, or data breaches. Once a threat is identified, the system searches through communications and data associated with the user linked to the threat. Communications may include emails, messages, or network traffic, while data may encompass files, databases, or stored information. The system then analyzes this information to determine which specific communications and data have been affected by the threat. This involves identifying compromised files, intercepted messages, or other indicators of exposure. The goal is to isolate and remediate only the affected portions, reducing unnecessary disruptions to unaffected systems or users. The method ensures that the scope of the threat is accurately assessed, enabling precise containment and recovery actions.
8. The method of claim 7, further comprising: determining the remediation action based on the affected communications and data.
A system and method for network security involves detecting and responding to cyber threats by analyzing affected communications and data to determine appropriate remediation actions. The method includes monitoring network traffic to identify anomalies or malicious activities, such as unauthorized access or data breaches. Once a threat is detected, the system assesses the scope of the affected communications and data to understand the extent of the compromise. Based on this analysis, the system then selects and implements a targeted remediation action, such as isolating compromised devices, blocking malicious traffic, or restoring affected data. The remediation action is dynamically determined to ensure an effective and proportional response to the detected threat, minimizing further damage while maintaining network integrity. This approach enhances cybersecurity by providing a responsive and adaptive defense mechanism against evolving threats. The system may also log and report the remediation actions for further analysis and compliance purposes.
9. The method of claim 1, further comprising: tailoring the one or more visualizations based on a tenant profile associated with a tenant, wherein the tenant profile includes one or more selected from a group consisting of an industry, a size, a geographical location, a hosted service ecosystem, a role, a regulatory requirement, and a legal requirement, and a threat history associated with the tenant.
This invention relates to cybersecurity visualization systems that generate and customize visual representations of security data for different users. The problem addressed is the lack of tailored security visualizations that adapt to the specific needs and context of different organizations, leading to ineffective threat detection and response. The method involves generating visualizations of security data, such as threat indicators, attack patterns, or system vulnerabilities, and then customizing these visualizations based on a tenant profile. The tenant profile includes attributes like industry, company size, geographical location, hosted service ecosystem, user role, regulatory requirements, legal requirements, and the tenant’s threat history. By analyzing these factors, the system adjusts the visualizations to highlight relevant threats, compliance risks, or operational priorities specific to the tenant. For example, a financial institution may receive visualizations emphasizing fraud detection, while a healthcare provider may focus on HIPAA compliance risks. The tailored visualizations improve threat awareness and decision-making by presenting data in a contextually relevant way.
10. The method of claim 1, wherein the remediation action includes one or more selected from a group consisting of transmission of a notification, removal of affected communications and data, modification of user permissions, resetting of a system configuration, and launching of an investigation.
This invention relates to cybersecurity systems for detecting and responding to security threats in a networked environment. The problem addressed is the need for automated and effective remediation actions to mitigate security incidents once detected. Traditional systems often rely on manual intervention, which can be slow and inconsistent, allowing threats to persist or escalate. The invention provides a method for automatically executing remediation actions in response to detected security threats. The method includes identifying a security threat within a network, analyzing the threat to determine its scope and impact, and then selecting and executing one or more remediation actions to address the threat. These actions may include transmitting notifications to relevant personnel, removing affected communications and data to prevent further exposure, modifying user permissions to restrict access, resetting system configurations to a secure state, or launching an investigation to gather additional forensic evidence. The system ensures a rapid and scalable response to security incidents, reducing the window of vulnerability and minimizing potential damage. The automated nature of the remediation process enhances efficiency and consistency, ensuring that threats are addressed promptly and effectively.
11. The method of claim 1, further comprising: presenting one or more selected from a group consisting of a threat trend, a filtering option, a configuration option, a protection status, a time range definition option, and a data export option.
This invention relates to cybersecurity systems that monitor and analyze threats to provide actionable insights. The core method involves collecting threat data from various sources, processing it to identify patterns or anomalies, and generating alerts or reports based on the analysis. The system may also apply filters to refine the data and adjust configurations to optimize threat detection. The invention further includes presenting additional features to enhance user interaction and system functionality. These features include displaying threat trends to show the evolution of threats over time, providing filtering options to narrow down threat data based on specific criteria, and offering configuration options to customize system settings. The system also presents protection status indicators to show the current security posture, time range definition options to specify the period for analysis, and data export options to save or share threat data for further review. These features collectively improve the usability and effectiveness of the threat monitoring system, enabling users to make informed decisions and take proactive measures against cyber threats.
12. A server configured to provide threat intelligence for hosted services, the server comprising: a communication interface configured to facilitate communication between another server hosting a security and compliance service, one or more client devices, and the server; a memory configured to store instructions; and one or more processors coupled to the communication interface and the memory and configured to execute a threat intelligence module, wherein the threat intelligence module is configured to: receive data associated with a tenant's service environment, wherein the received data includes communications, stored content metadata associated with the received data, and activities associated with the received data; correlate the received data at multiple levels based on the metadata associated with the received data and the activities associated with the received data to generate correlated and multi-stage evaluated data; determine, based on a contextual correlation analysis of the correlated and multi-stage evaluated data, a threat, wherein the contextual correlation analysis is based on one or more contextual factors; determine, based on the contextual correlation analysis, a potential impact and a remediation action associated with the threat; present a dashboard that includes one or more interactive visualizations representing one or more selected from a group consisting of threat trends, information regarding the threat, and the potential impact of the threat, wherein a portion of the one or more visualizations is actionable; determine at least one targeted user receiving the threat; present a listing of the determined targeted users; in response to receiving a selection of a user from the listing of determined targeted users, presenting one or more selected from a group consisting of a communication exchanged with the selected user, a document shared by the selected user, a document processed by the selected user, and a resource used by the selected user; and automatically implement the remediation action associated with the received threat.
This invention relates to a server system designed to provide threat intelligence for hosted services, addressing the challenge of detecting and mitigating security threats in multi-tenant environments. The server includes a communication interface for interacting with security and compliance services, client devices, and other servers, along with a memory and processors executing a threat intelligence module. The module receives data from a tenant's service environment, including communications, stored content metadata, and activity logs. It correlates this data at multiple levels using metadata and activity patterns to generate a multi-stage evaluated dataset. Through contextual correlation analysis, the system identifies threats, assesses their potential impact, and determines appropriate remediation actions. A dashboard displays interactive visualizations of threat trends, threat details, and impact assessments, with actionable elements for user interaction. The system identifies targeted users affected by threats and presents their associated communications, shared documents, processed files, and used resources upon selection. Automated remediation actions are implemented to mitigate identified threats. The solution enhances threat detection and response in cloud-based environments by leveraging contextual analysis and automated workflows.
13. The server of claim 12, wherein the remediation action includes one or more selected from a group consisting of transmission of a notification, removal of affected communications and data, modification of user permissions, resetting of a system configuration, implementation of a suggested policy, and restriction of one or more selected from a group consisting of a delete action, a share action, a copy action, a move action, an anonymous link creation, a synchronization, a site creation, a created exemption, a permission modification, a purge of email boxes, a folder movement, a user addition, and a group addition.
This invention relates to cybersecurity systems for detecting and mitigating threats in digital environments, particularly in cloud-based or networked systems. The problem addressed is the need for automated remediation actions to respond to detected security threats, such as unauthorized access, data breaches, or policy violations, without requiring manual intervention. The system includes a server configured to analyze security events and determine appropriate remediation actions based on predefined rules or machine learning models. The remediation actions are designed to neutralize threats and prevent further damage. These actions include transmitting notifications to administrators or affected users, removing compromised communications and data, modifying user permissions to restrict access, resetting system configurations to a secure state, implementing suggested security policies, and restricting specific actions that could exacerbate the threat. Restricted actions may include deleting, sharing, copying, or moving files, creating anonymous links, synchronizing data, creating new sites or exemptions, modifying permissions, purging email boxes, moving folders, adding users, or adding groups. The system dynamically selects these actions based on the nature and severity of the detected threat, ensuring a rapid and targeted response to minimize risk. The goal is to enhance security posture by automating responses to threats, reducing response time, and limiting the impact of security incidents.
14. The server of claim 12, wherein the threat intelligence module is further configured to: enable a drill down operation on the listing of determined targeted users to determine the impact of the received threat.
15. The server of claim 12, wherein the threat intelligence module is further configured to: determining, based on following a chain of events associated with a missed threat, a list of potentially affected communications and data, and connections between a user affected by the missed threat and other users.
This invention relates to cybersecurity systems, specifically server-based threat intelligence modules designed to analyze and mitigate missed threats in network communications. The system addresses the challenge of identifying the broader impact of undetected threats by tracking the chain of events linked to a missed threat, allowing for comprehensive risk assessment and containment. The server includes a threat intelligence module that evaluates network activity to detect threats. When a threat is missed, the module reconstructs the sequence of events leading to and following the missed threat. This reconstruction identifies all potentially affected communications, data, and network connections. Additionally, the module maps relationships between the initially affected user and other users, determining potential lateral movement or secondary exposure paths. This analysis helps security teams assess the scope of the threat and take targeted remediation actions to prevent further compromise. The system enhances threat detection by providing contextual insights into how missed threats propagate, enabling more effective incident response and reducing the risk of undetected breaches. The module's ability to trace connections between users and systems improves containment strategies, ensuring that all affected assets are identified and secured. This approach is particularly valuable in environments where threats may spread silently across multiple nodes before detection.
16. The server of claim 12, wherein the threat intelligence module is further configured to: adjust, based on a used platform and a type of threat, a connection dashboard configuration.
A system for cybersecurity threat detection and response includes a server with a threat intelligence module that analyzes threat data to identify potential security risks. The system monitors network connections and user activities to detect anomalies or malicious behavior. The threat intelligence module processes threat intelligence feeds, historical attack patterns, and real-time network data to assess risks. It generates alerts and recommends mitigation actions to security personnel. The module also adjusts a connection dashboard configuration based on the platform being used (e.g., cloud, on-premises) and the type of threat detected (e.g., malware, phishing, DDoS). This customization ensures that security teams receive relevant and actionable insights tailored to their environment and the specific threat context. The system may integrate with existing security tools to enhance threat detection accuracy and response efficiency. The dashboard configuration adjustments may include modifying visualizations, prioritizing alerts, or filtering data to focus on the most critical threats for the given platform and threat type. This approach improves situational awareness and reduces response times by presenting information in a contextually optimized format.
17. The server of claim 16, wherein the used platform is one selected from a group consisting of an operating system and a hosted service.
This invention describes a server equipped with a threat intelligence module that continuously collects and correlates data—including communications, stored content, metadata, and user activities—from a tenant's service environment. This module analyzes the correlated data to identify security threats, determine their potential impact, and propose remediation actions. The server then presents this information through an interactive dashboard, featuring visualizations of threat trends, detailed threat information, and impact assessments. This dashboard is dynamic, allowing the threat intelligence module to automatically adjust its display and configuration. Specifically, this adjustment is made based on the type of platform being used. This platform can be either a specific operating system (like Windows or Linux) or a hosted service (such as a cloud platform or a Software-as-a-Service application), enabling optimized presentation and functionality relevant to the environment. The system also identifies targeted users and can automatically implement suggested remediation actions.
18. A computer-readable memory device with instructions stored thereon to provide threat intelligence for hosted services, the instructions, when executed, configured to cause one or more computing devices to perform actions comprising: receive data associated with a tenant's service environment, wherein the received data includes communications, stored content metadata associated with the received data, and activities associated with the received data; correlate the received data at multiple levels based on the metadata associated with the received data and the activities associated with the received data to generate correlated and multi-stage evaluated data; determine, based on a contextual correlation analysis of the correlated and multi-stage evaluated data, a threat, wherein the contextual correlation analysis is based on one or more contextual factors; determine, based on the contextual correlation analysis, a potential impact and a remediation action associated with the threat; present a dashboard that includes one or more interactive visualizations representing one or more selected from a group consisting of threat trends, information regarding the threat, and the potential impact of the threat, wherein a portion of the one or more visualizations is actionable; customize the dashboard based on one or more selected from a group consisting of detected threat types, a tenant profile, and a platform; determine at least one targeted user receiving the threat; present a listing of the determined targeted users; in response to receiving a selection of a user from the listing of determined targeted users, presenting one or more selected from a group consisting of a communication exchanged with the selected user, a document shared by the selected user, a document processed by the selected user, and a resource used by the selected user; and automatically implement the remediation action associated with the received threat.
This invention relates to threat intelligence systems for hosted services, addressing the challenge of detecting and mitigating security threats in multi-tenant environments. The system collects data from a tenant's service environment, including communications, stored content metadata, and user activities. It correlates this data at multiple levels using metadata and activity patterns to generate a comprehensive, multi-stage evaluation. A contextual correlation analysis then identifies threats based on contextual factors such as user behavior, content type, and environmental conditions. The system assesses the potential impact of each threat and recommends remediation actions. A dashboard displays interactive visualizations of threat trends, threat details, and potential impacts, with actionable elements for user interaction. The dashboard is customizable based on threat types, tenant profiles, or platform requirements. The system identifies targeted users affected by threats and presents a listing of these users. Selecting a user reveals their communications, shared or processed documents, and used resources, providing detailed threat context. Automated remediation actions are implemented to mitigate identified threats. This approach enhances threat detection accuracy and response efficiency in hosted service environments.
19. The computer-readable memory device of claim 18, wherein the actions further comprise: determine whether the threat is one selected from a group consisting of a targeted threat and a general threat.
A system for cybersecurity threat detection and classification analyzes network traffic or system activity to identify potential threats. The system processes data to detect anomalies or malicious patterns, then classifies the detected threats into specific categories. One classification method distinguishes between targeted threats, which are directed at specific individuals or organizations, and general threats, which are broader in scope and may affect multiple entities. The system may use machine learning, signature-based detection, or behavioral analysis to identify and categorize threats. By classifying threats, the system enables more effective response strategies, such as isolating affected systems, applying targeted patches, or deploying countermeasures. The classification process may involve analyzing threat vectors, attack patterns, or contextual data to determine the nature and intent of the threat. This approach improves threat mitigation by tailoring responses to the specific type of attack detected.
June 30, 2020